Quantifying and Analyzing Information Security Risk from Incident Data

Abstract

Multiple cybersecurity risk assessment and root cause analysis methods propose incident data as a source of information. However, it is not a straightforward matter to apply incident data in risk assessments. The paper trail of incident data is often incomplete, ambiguous, and dependent on the incident handlers' routines for keeping records. Current incident classification approaches classify incidents as one specific type, for example, “Data spillage,” “Compromised information,” or “Hacking.” Through incident analysis, we found that the current classification schemes are ambiguous and that most incidents consist of additional components. This paper builds on previous work on incident classifications and proposes a method for quantifying and risk analyzing incident data for improving decision-making. The applied approach uses a set of incident data to derive the causes, outcomes, and frequencies of risk events. The data in this paper was gathered from a year of incident handling from a Scandinavian university’s security operations center (SOC), and consists of 550 handled incidents from November 2016 to October 2017. By applying the proposed method, this paper offers empirical insight into the risk frequencies of the University during the period. We demonstrate the utility of the approach by deducing the properties of the most frequent risks and creating graphical representations of risks using a bow-tie diagram. The primary contribution of this paper is the highlighting of the ambiguity of existing incident classification methods and how to address it in risk quantification. Additionally, we apply the data in risk analysis to provide insight into common cyber risks faced by the University during the period. A fundamental limitation is that this study only defines adverse outcomes and does not include consequence estimates.

Cite

Wangen, G. (2019). Quantifying and Analyzing Information Security Risk from Incident Data. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11720 LNCS, pp. 129–154). Springer. https://doi.org/10.1007/978-3-030-36537-0_7
